Emulating & Exploiting UEFI: Unveiling Vulnerabilities in Firmware Security

NetSPI analyzed a UEFI PNG decoder from BIOS firmware and found a buffer over-read caused by spoofing the PNG IDAT chunk length, even though the code already included a LogoFail-style size check. By emulating the module with Qiling, they showed the flaw can force reads past the image buffer during boot and potentially leak sensitive data from memory or NVRAM. #NetSPI #Qiling #PngDecoderDxe #LogoFail

Keypoints

  • The investigation focused on a PNG decoder module extracted from BIOS/UEFI firmware.
  • The module appeared to handle the known LogoFail overflow condition by rejecting oversized allocations above 0x7fffffff.
  • A different flaw was found: the decoder did not properly validate the PNG IDAT chunk length during reads.
  • NetSPI used Qiling to emulate the UEFI environment, map memory, and hook allocation and cleanup functions.
  • A poisoned PNG with an inflated IDAT length caused the decoder to read past the end of the legitimate input buffer.
  • The over-read triggered an unmapped memory access in emulation, proving the bug and showing it could leak boot-time memory contents.
  • The post explains how stack spraying, manual heap mapping, and tracing were used to isolate and reproduce the issue.
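The chunk-length check that the keypoints describe as missing, as an added example written for this summary rather than code from NetSPI or from the decoder module: a standalone C chunk walker that rejects a declared IDAT length larger than the bytes remaining in the input, in addition to the 0x7fffffff cap the module already applied. Function names and the sample PNG bytes are constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>

#define PNG_MAX_CHUNK_LEN 0x7fffffffUL   /* LogoFail-style cap the decoder already applied */
enum png_check { PNG_OK = 0, PNG_BAD_SIGNATURE, PNG_TRUNCATED,
                 PNG_LEN_OVER_CAP,        /* caught by the existing allocation-size check */
                 PNG_LEN_EXCEEDS_INPUT }; /* the missing check: declared length > bytes left */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk every chunk of the `len`-byte buffer `buf`. A chunk's declared length must fit in
 * the input that remains, not merely sit under the cap. `type` gets the last chunk type seen. */
enum png_check png_validate_chunks(const uint8_t *buf, size_t len, char type[5]) {
    static const uint8_t sig[8] = {0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a};
    size_t off = 8; type[0] = '\0';
    if (len < 8 || memcmp(buf, sig, 8) != 0) return PNG_BAD_SIGNATURE;
    while (off < len) {
        if (len - off < 12) return PNG_TRUNCATED;            /* length + type + CRC */
        uint32_t clen = be32(buf + off);
        memcpy(type, buf + off + 4, 4); type[4] = '\0';
        if (clen > PNG_MAX_CHUNK_LEN) return PNG_LEN_OVER_CAP;
        if (clen > len - off - 12) return PNG_LEN_EXCEEDS_INPUT; /* read would run past the end */
        if (memcmp(type, "IEND", 4) == 0) break;
        off += 12 + clen;
    }
    return PNG_OK;
}

/* Constructed sample (not the post's lenna.png): signature, IHDR, one IDAT with a 4-byte
 * payload whose declared length can be forged, then IEND. CRCs are zero (not checked here). */
size_t build_sample_png(uint8_t *out, size_t cap, uint32_t declared_idat_len) {
    static const uint8_t head[33] = {0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a,
        0,0,0,13,'I','H','D','R', 0,0,0,1, 0,0,0,1, 8,2,0,0,0, 0,0,0,0};
    static const uint8_t tail[12] = {0,0,0,0,'I','E','N','D',0,0,0,0};
    if (cap < 61) return 0;
    memcpy(out, head, 33); uint8_t *p = out + 33;
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(declared_idat_len >> (24 - 8 * i));
    memcpy(p + 4, "IDAT", 4);
    memset(p + 8, 0, 8); memcpy(p + 16, tail, 12);
    return 61;
}
/* Build a sample with the given declared IDAT length and run the validator on it. */
enum png_check check_sample(uint32_t declared_idat_len) {
    uint8_t buf[64]; char type[5];
    size_t n = build_sample_png(buf, sizeof buf, declared_idat_len);
    return n ? png_validate_chunks(buf, n, type) : PNG_TRUNCATED;
}
```

A declared length of 0x400000 passes the 0x7fffffff cap yet still fails here, because only 16 bytes remain after the IDAT header in the 61-byte sample.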

MITRE Techniques

  • [T1055] Process Injection – The emulation framework hooks and redirects execution into custom Python handlers instead of letting the firmware call its normal services (‘when it gets to the address we have saved in FREE_POOL_CALL_ADDR, it will instead jump directly to our code first’).
  • [T1106] Native API – The code substitutes UEFI Boot Services such as AllocatePool and FreePool with inline handlers to control memory behavior (‘we use Qiling to perform inline substitution of these critical services’).
  • [T1005] Data from Local System – The over-read is used to extract data from local firmware memory and dump it to a file (‘it could leak sensitive data from memory or NVRAM’ and ‘reads past the buffer boundary’).
  • [T1499] Endpoint Denial of Service – The invalid read can crash or abort execution when the decoder accesses unmapped memory (‘CRITICAL SYSTEM ABORT: UNMAPPED MEMORY ACCESS’).
  • [T1057] Process Discovery – The tracing logic inspects execution flow and register state to understand what the firmware is doing (‘provide a real-time disassembly of executed instructions’).

Indicators of Compromise

  • [File names] Emulation target and test artifacts – PngDecoderDxe.bin, lenna.png, lenna.poison, lenna_final.raw
  • [Memory addresses] Emulation and fault context – 0x9000000, 0x60419000, 0x104106, and other offsets such as 0x45f0 and 0x4770
  • [File size / length values] Spoofed and observed chunk sizes – 0x400000, 0x800000, 0x7fffffff, 0x90000000, and 0xe7542
  • [Chunk type] PNG structure manipulated in the proof of concept – IDAT

Read more: https://www.netspi.com/blog/technical-blog/hardware-and-embedded-systems-penetration-testing/emulating-and-exploiting-uefi/